Unit 2: Linux/Unix Acquisition
2.1 Linux/Unix Acquisition: Memory Acquisition

>> In 2008, the first open memory forensics workshop was organized
to bring together digital investigation researchers and practitioners
to discuss the latest advancements in volatile memory analysis.

To start, let's learn how to acquire RAM from a Linux/UNIX machine.

For a host-based memory dump approach, the investigator needs
to have physical access to the system.

MEMDUMP is a part of the coroner's toolkit, TCT, developed by the pioneers of computer forensics,
Dan Farmer and Wietse Venema in 1999.

Since it was developed early, it may not work well to dump out the restricted range
of addresses for the newer Linux distributions and UNIX [inaudible].

To overcome its limitations, the open-source tools
Linux Memory Extractor (LiME) and Fmem were developed.

Both tools will load a kernel module to the system that allows full memory captures.

We will show a demo of LiME memory dump and the basic examinations in another video.

The commercial tool Live Response from E-FENSE uses a USB dongle
to collect live volatile data and dump memory.

It is easy to perform.

You simply insert the USB dongle into a suspect machine
and then select your desired data from a menu of options.

Live Response will then collect the data and store it directly onto the USB.

The limitation of using the host-based acquisition tools is
that examiners have to access the physical system.

Are there any acquisition tools that allow memory acquisition remotely?

Yes. A commercial tool called F-Response allows examiners
to conduct forensic acquisition remotely.

F-Response uses a pair of dongles, one for the suspect system
and another for the forensic system.

Once the executable from the suspect system dongle runs,
it acts as an agent and awaits a connection.

After invoking the executable from the examiner dongle and then connecting to the suspect machine,
the investigator can collect both volatile data, including memory, and nonvolatile data
by controlling and instructing the agent.

Demo: Linux Memory Dump

>> In one of the earlier videos we demoed how to use FTK Imager to acquire a USB drive.

And I also mentioned in that video that FTK Imager is able to dump out memory.

But FTK Imager is a Windows tool.

So here we look into one of the famous Linux/Unix memory dump tools, called LiME.

Before we start, I have to emphasize again: we are bringing our own trusted tools,
and we will also write all the results out to an external drive or USB.


So I'm using my own trusted tools, saved in the folder called Trusted Tools on the USB.

And if we go into the LiME directory and list it, we see the LiME module.

Okay? So this module will be inserted into the suspect machine's kernel.

Because of that we are able to acquire the restricted areas
in memory and dump out the full memory.

Now you have to document that, in case people question you about modifying data.

You certainly do insert the module into it.

So how do we insert this module into the kernel and dump out memory?

So the command is quite long, and let me try it here.

And actually the instructions are provided in the activities
for you to exercise and practice as well.

So now here let's start to run this LiME command.

So we certainly want insmod --
insmod, and then the module name, which is certainly the LiME module we are interested in.

We want to insert this module into the kernel, and the path specifies
where this image dump will reside.

In our case, we want to put that into the evidence folder
that is on the USB -- is that on USB?

So desktop and evidence folder.

And we call it memory_dump.bin; .bin means binary.

And the name -- you can give it any name which is meaningful.

Later you can use that information to remind you what kind of image that is.

Followed by format=padded.

That's it.

So hit enter, then it will start to dump out memory into a file called memory_dump.bin
and save it in the evidence folder.

Now depending on how large your memory is, it will take a while.

And so here -- excuse me, I will not run that,
because I have already run it earlier to get the memory dump.

Now once you dump out memory, you need to do a little bit of cleaning.

Because you inserted your module into it.

So we probably should remove that.

So lsmod, to find out whether your LiME module is still there; definitely it's there.

Okay? So if you do grep -- in my case it's not there, because I did not really run it.

And then you'll remove it -- rmmod lime.

So now after this you clean up your own LiME;
certainly here we did not have the LiME module, so you get this message.

Okay, going back to the evidence file --
okay, cd to my evidence folder.

We should have this memory_dump.bin there.

It's a binary file.


There are no data structures.

So how -- what is useful about this, right?

And later we'll talk about many fantastic tools; they will pull out meaningful information.

And then process information; password information.

Now at this point, at least we want to try a very simple tool called strings.

Strings has various versions for Linux, Unix, Windows.

It is able to print out strings of a certain length;
by default the length is greater than or equal to 4 bytes.

Those strings it will dump out from this file.

So I had one here; I said, instead of greater than or equal to 4 bytes, 8 bytes.

I'll tell you why I want to use 8 bytes later, okay?

And strings takes the file to look into, so the file I want it
to look into is the memory dump file.

So look into this memory dump file.

Print out any strings which are 8 bytes long or more.

And why do I want to do 8?

Because I want to find out whether my password -- this machine's password is captured.

The password is forensics.

So because it's the memory, it will pull out many,
many strings of 8 bytes or more.

So here I use grep --
I just want to find out whether my password is there, right?

So I said, I want to grab any string which starts with forensics.

Now this command will dump out strings of 8 bytes or more
which also start with forensics.

So you grep that, now you see those other strings.

Okay? Forensics, and this is dumped out from my memory.

Yeah. So at this point, I will end here,
but later we will see many more data carving tools -- we call them data carving tools --
which don't need any file system structures.


It is able to carve out meaningful data from binary files.

So hopefully you enjoy this demo.

Talk to you later.
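
The pipeline the demo types at the end (strings with a minimum length of 8 on memory_dump.bin, piped into grep for lines starting with forensics), written out as an added Python example for this page; it is not code from the course video or from the LiME project. The dump bytes are constructed inline to stand in for memory_dump.bin, the `strings` behaviour is approximated (printable ASCII runs, no tab handling), and the image is also hashed, since the demo stresses documenting what you did to the system before anyone questions it.

```python
import hashlib
import re

# Constructed sample "dump" standing in for memory_dump.bin: printable runs
# separated by binary noise and zero-filled gaps (a padded LiME image fills
# non-RAM ranges with zeros in much the same way).
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"root:x:0:0:root:/root:/bin/bash\n"
    + b"\x7fELF\x02\x01\x01"
    + b"forensics\x00"            # the lab password from the demo
    + b"\xff\xfe" * 4
    + b"pass=forensics123"        # contains the word but does not start with it
    + b"\x00" * 32
    + b"abc\x00"                  # 3 bytes: below even the default minimum of 4
    + b"forensicsXYZ\x00"
    + b"ab12\x00"                 # exactly 4 bytes: printed at -n 4, not at -n 8
)

# A "string" here is a run of printable ASCII (space through tilde);
# GNU strings also counts tab, which this approximation leaves out.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]+")


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Mimic `strings -n <min_len> FILE`: every printable run of at least min_len bytes."""
    return [m.group().decode("ascii")
            for m in PRINTABLE_RUN.finditer(data)
            if len(m.group()) >= min_len]


def grep_prefix(lines, prefix: str) -> list:
    """Mimic `grep '^prefix'`: keep only lines that start with the prefix."""
    return [line for line in lines if line.startswith(prefix)]


def find_password_hits(data: bytes, password: str, min_len: int = 8) -> list:
    """The demo's pipeline: strings -n 8 memory_dump.bin | grep ^forensics."""
    return grep_prefix(extract_strings(data, min_len), password)


def sha256_hex(data: bytes) -> str:
    """Hash of the image, recorded in the notes before any analysis tool reads it."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    print("sha256 of image:", sha256_hex(SAMPLE_DUMP))
    print("strings at -n 4:", len(extract_strings(SAMPLE_DUMP, 4)))
    print("strings at -n 8:", len(extract_strings(SAMPLE_DUMP, 8)))
    for hit in find_password_hits(SAMPLE_DUMP, "forensics"):
        print("hit:", hit)
```

Raising the minimum from 4 to 8 drops the short noise such as `ab12` exactly as the demo describes, and the grep keeps `forensics` and `forensicsXYZ` while discarding `pass=forensics123`, which contains the password but does not start with it; a substring search would be needed to catch that one.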


Reposted from: https://www.cnblogs.com/sec875/articles/10013427.html
